On Wed, May 6, 2015 at 4:27 AM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
> You know, just this morning, I was thinking about enumeration. It
> doesn't work for IPA views at all for example. It doesn't work for
> trusted domains at all either (except for some limited support in AD
> trusted domains that is very untested)
>
> I wonder if we could just remove enumeration from IPA and AD back
> ends in some major release.
Please don't do this.
Enumeration is a very useful feature. It allows us to do things like
this:
$ getent passwd | grep -i lastname
The equivalent ldapsearch command is much more tedious:
$ ldapsearch -z 0 -E pr=2147483647/noprompt -o ldif-wrap=no -LL \
    -H 'ldap:///dc%3Dexample%2Cdc%3Dorg' -Y GSSAPI -N -b "dc=example,dc=org" \
    "(&(objectClass=user)(cn=*lastname*))" dn cn sAMAccountName
More generically, enumeration is the way Unix/Linux has always worked.
Even getting users to change from:
grep -i lastname /etc/passwd
To this:
getent passwd | grep -i lastname
...has been a struggle.
We also have various services that (unfortunately) pre-load the passwd
and group files at startup by enumerating them with getpwent_r() and
getgrent_r(), instead of using the get*nam_r() and get*id_r()
functions as-needed. These services break outright if enumeration is
disabled.
(Yes, these services are broken. Yes, they shouldn't do that. But our
ability to fix them is extremely limited at best, because we don't
control them.)
Finally, we have many systems that cannot be joined to Active
Directory (for policy reasons, not technical reasons). But we want to
use the same passwd/group entries on those systems as returned by sssd
on hosts that are joined to Active Directory. We do this by scraping
the output of "getent -s sss passwd" and "getent -s sss group" and
manually merging it into the local passwd and group files
(respectively) on these hosts.
> It's just a legacy feature, so those who need it can fall back to
> the LDAP provider..
But the LDAP provider doesn't support ID mapping; only the AD provider
does. And ID mapping is the main reason we use sssd.
I'm not asking you to make enumeration the default. It shouldn't be;
it should be something you only turn on if you need it, and you KNOW
you need it. But if you need it, you NEED it. Please don't take it
away.
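The merging step described in the message above (scraping "getent -s sss passwd" on a joined host and folding it into the local passwd file on an unjoined one) is easy to get wrong when an imported name or UID collides with a local account. The following is an added example, not code from the original message or from the sssd project: a POSIX sh function that merges an sss dump into a local passwd file and lets local entries win on any name or UID clash. The sample passwd lines are constructed; the function name, file arguments and the assumption that sssd returns `*` in the password field are choices made for this example.

```shell
#!/bin/sh
# Added example: merge passwd entries dumped from sssd on an AD-joined host
# ("getent -s sss passwd > sss_passwd.dump") into a local passwd file on a
# host that is not joined. Local entries always win: an imported line is
# dropped if its user name or UID already exists locally.

# merge_sss_passwd LOCAL_PASSWD SSS_DUMP
# Prints the merged passwd file on stdout; one line per skipped entry on stderr.
merge_sss_passwd() {
    awk -F: -v OFS=: '
        # First operand (the local passwd): print unchanged, remember names/UIDs.
        # FILENAME == ARGV[1] is used instead of NR == FNR so that an empty
        # local file does not make every sss line look like a local one.
        FILENAME == ARGV[1] { names[$1] = 1; uids[$3] = 1; print; next }
        NF != 7     { printf "skip malformed line: %s\n", $0 > "/dev/stderr"; next }
        $1 in names { printf "skip name clash: %s\n", $1 > "/dev/stderr"; next }
        $3 in uids  { printf "skip uid clash: %s (%s)\n", $3, $1 > "/dev/stderr"; next }
        { print }
    ' "$1" "$2"
}

# Constructed sample of a local /etc/passwd (not taken from the original post).
LOCAL_PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Local:/home/alice:/bin/bash
svcbackup:x:1001:1001:Backup service:/var/backup:/sbin/nologin'

# Constructed sample of "getent -s sss passwd" output from an AD-joined host:
# ID-mapped UIDs/GIDs, "*" as the password field (assumed sssd convention),
# one name clash (alice), one UID clash (carol, 1001) and one malformed line.
SSS_PASSWD_SAMPLE='bob:*:1234567:1234567:Bob Example:/home/example.org/bob:/bin/bash
alice:*:1234568:1234567:Alice Example:/home/example.org/alice:/bin/bash
carol:*:1001:1234567:Carol Example:/home/example.org/carol:/bin/bash
broken:*:1234569
dave:*:1234570:1234567:Dave Example:/home/example.org/dave:/bin/bash'

# Writes the two samples to temporary files and runs the merge on them.
merge_samples() {
    tmp_local=$(mktemp) && tmp_sss=$(mktemp) || return 1
    printf '%s\n' "$LOCAL_PASSWD_SAMPLE" > "$tmp_local"
    printf '%s\n' "$SSS_PASSWD_SAMPLE" > "$tmp_sss"
    merge_sss_passwd "$tmp_local" "$tmp_sss"
    rm -f "$tmp_local" "$tmp_sss"
}

merge_samples
```

Run on the samples, the merged output keeps the three local lines and adds only bob and dave; alice, carol and the malformed line are reported on stderr. The group file needs the same treatment (with the member list as the seventh field, so the NF check becomes 4), and the result should still be fed through `pwck` before it replaces /etc/passwd.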

Hi,
to preserve compatibility, I'd like to map the AD users' default group to a
local Linux group.
I don't want to add every AD user to the row in /etc/group and I don't want
to change default primary group of users in AD.
Is there a group mapping function in SSSD? Or am I completely wrong?
Thanks in advance
--
Domenico Viggiani

Hello,
I have a setup with two different AD domains a.com and b.com in separate forests. I'm working with sssd-1.11.7.
Everything is fine apart from sudo. When I issue a sudo, sssd performs authentications always on domain A even if the user logged in belongs to domain B.
How can I tell sssd to perform the searches in the domain of the logged in user?
Cristiano

Hi,
I have sssd installed on kubuntu 15.04, installed and configured sssd as
I used to do on any other distros I'm managing, and it crashes when I
have enumerate set to true. Under normal circumstances, I could have it set
to false, but this is a desktop environment, and I need to have all the
users listed on Simple Desktop Display Manager. How could I achieve this
and stop sssd from crashing ?
Thanks,
--------------------------------------------------------------------------------
Christian Tardif